Methods and apparatus for anomaly detections

ABSTRACT

This application relates to apparatus and methods for identifying anomalies within a time series. In some examples, a computing device receives sales data identifying a sale of at least one item, and aggregates the received data in a database. The computing device may generate a plurality of time series based on the aggregated sales data. The computing device may extract features from the plurality of time series, and generate an alerting algorithm that is based on clusters of the extracted features. The computing device may apply the alerting algorithm to a time series generated from received sales data to determine whether the time series is an anomaly. Based on the determination, the computing device may generate and transmit anomaly data identifying whether the time series is an anomaly, such as to another computing device.

TECHNICAL FIELD

The disclosure relates generally to anomaly detection and, morespecifically, to identifying fraudulent retail activities.

BACKGROUND

Some transactions, such as some retail transactions, are fraudulent. Forexample, a customer may attempt to buy an item from a retailer's websiteusing a stolen credit card. Because the owner of the credit card has notconsented to the purchase, the transaction is fraudulent. Anotherexample may be during an account take over, where a fraudster has hackedan online account and has used a credit card stored in the account tomake a purchase. As another example, a customer may attempt to return anitem to a retailer, where the item was purchased from a different store.In some cases, a customer may present another's identification (ID) card(e.g., driver's license) when attempting to return an item. In somecases, a customer may buy and use an item, and may attempt to return theitem when the person no longer has a need for the item. In each of theseexamples, the customer is involved in a fraudulent activity.

Fraudulent activities may cause financial harm to a company, such as aretailer. For example, the company may incur expense associated with notreceiving payment for the item for an unauthorized purchase made with acredit card. As another example, a company may incur expense inaccepting an item for return, and returning payment for the item, whenthe item was originally purchased from a different retailer. The companymay also incur expenses related to inventorying and stocking a returneditem, attempting to resell the item, returning the item to amanufacturer, or disposing the item. As such, a retailer may benefitfrom identifying fraudulent transactions.

SUMMARY

The embodiments described herein are directed to automaticallyidentifying anomalies, such as fraudulent transactions. The embodimentsmay identify a fraudulent activity as it is taking place, for example,allowing a retailer to stop or not allow the transaction. Theembodiments may allow a retailer to more closely scrutinize thetransaction to determine if fraud is indeed involved. In some examples,the embodiments may allow a retailer to determine fraudulenttransactions that have already taken place, allowing the retailer toidentify one or more individuals associated with the fraudulenttransactions. As a result, the embodiments may allow a retailer todecrease expenses related to fraudulent transactions, among otheradvantages recognized by those of ordinary skill in the art having thebenefit of these disclosures.

In accordance with various embodiments, exemplary systems may beimplemented in any suitable hardware or hardware and software, such asin any suitable computing device. For example, in some embodiments, acomputing device is configured to receive sales data identifying a saleof at least one item. For example, the sales data may be received from acomputing device located at a store when a customer purchases an item.The computing device may be configured to generate at least one timeseries based on the received sales data. The computing device may alsobe configured to obtain alerting algorithm data identifying an alertingalgorithm that is based on clusters of feature data, and apply thealerting algorithm to the at least one time series. The computing devicemay be configured to determine whether the at least one time series isan anomaly (e.g., fraudulent transaction) based on the application ofthe alerting algorithm. The computing device may also be configured togenerate anomaly data identifying whether the at least one time seriesis an anomaly based on the determination. The computing device may beconfigured to transmit, in response to the received sales data, theanomaly data identifying whether the at least one time series is ananomaly. For example, the computing device may transmit the anomaly datato the computing device located at the store.

In some examples, the computing device is configured to generate thealerting algorithm based on aggregated data.

In some embodiments, a method is provided that includes receiving salesdata identifying a sale of at least one item, and generating at leastone time series based on the received sales data. The method may alsoinclude obtaining alerting algorithm data identifying an alertingalgorithm that is based on clusters of feature data, and applying thealerting algorithm to the at least one time series. The method mayfurther include determining whether the at least one time series is ananomaly based on the application of the alerting algorithm. The methodmay include generating, based on the determination, anomaly dataidentifying whether the at least one time series is an anomaly. Themethod may also include transmitting, in response to the received salesdata, the anomaly data identifying whether the at least one time seriesis an anomaly.

In some examples, a method may include generating the alerting algorithmbased on aggregated data.

In yet other embodiments, a non-transitory computer readable medium hasinstructions stored thereon, where the instructions, when executed by atleast one processor, cause a computing device to perform operations thatinclude receiving sales data identifying a sale of at least one item,and generating at least one time series based on the received salesdata. The operations may also include obtaining alerting algorithm dataidentifying an alerting algorithm that is based on clusters of featuredata, and applying the alerting algorithm to the at least one timeseries. The operations may further include determining whether the atleast one time series is an anomaly based on the application of thealerting algorithm. The operations may include generating, based on thedetermination, anomaly data identifying whether the at least one timeseries is an anomaly. The operations may also include transmitting, inresponse to the received sales data, the anomaly data identifyingwhether the at least one time series is an anomaly.

In some examples, a non-transitory computer readable medium hasinstructions stored thereon, where the instructions, when executed by atleast one processor, cause a computing device to perform operations thatinclude generating the alerting algorithm based on aggregated data.

BRIEF DESCRIPTION OF THE DRAWINGS

The features and advantages of the present disclosures will be morefully disclosed in, or rendered obvious by the following detaileddescriptions of example embodiments. The detailed descriptions of theexample embodiments are to be considered together with the accompanyingdrawings wherein like numbers refer to like parts and further wherein:

FIG. 1 is a block diagram of a fraud detection system in accordance withsome embodiments;

FIG. 2 is a block diagram of the fraud detection computing device of thefraud detection system of FIG. 1 in accordance with some embodiments;

FIG. 3 is a block diagram illustrating examples of various portions ofthe fraud detection system of FIG. 1 in accordance with someembodiments;

FIG. 4 is a block diagram illustrating examples of various portions ofthe fraud detection computing device of FIG. 1 in accordance with someembodiments;

FIG. 5 is a flowchart of an example method that can be carried out bythe fraud detection system 100 of FIG. 1 in accordance with someembodiments;

FIG. 6 is a flowchart of another example method that can be carried outby the fraud detection system 100 of FIG. 1 in accordance with someembodiments; and

FIGS. 7A and 7B illustrate portions of clusters that may be generated bythe fraud detection computing device of FIG. 1.

DETAILED DESCRIPTION

The description of the preferred embodiments is intended to be read inconnection with the accompanying drawings, which are to be consideredpart of the entire written description of these disclosures. While thepresent disclosure is susceptible to various modifications andalternative forms, specific embodiments are shown by way of example inthe drawings and will be described in detail herein. The objectives andadvantages of the claimed subject matter will become more apparent fromthe following detailed description of these exemplary embodiments inconnection with the accompanying drawings.

It should be understood, however, that the present disclosure is notintended to be limited to the particular forms disclosed. Rather, thepresent disclosure covers all modifications, equivalents, andalternatives that fall within the spirit and scope of these exemplaryembodiments. The terms “couple,” “coupled,” “operatively coupled,”“operatively connected,” and the like should be broadly understood torefer to connecting devices or components together either mechanically,electrically, wired, wirelessly, or otherwise, such that the connectionallows the pertinent devices or components to operate (e.g.,communicate) with each other as intended by virtue of that relationship.

Turning to the drawings, FIG. 1 illustrates a block diagram of a frauddetection system 100 that includes a fraud detection computing device102 (e.g., a server, such as an application server), a server 104 (e.g.,a web server), workstation(s) 106, database 116, and multiple customercomputing devices 110, 112, 114 operatively coupled over network 118.Fraud detection computing device 102, workstation(s) 106, server 104,and multiple customer computing devices 110, 112, 114 can each be anysuitable computing device that includes any hardware or hardware andsoftware combination for processing and handling information. Inaddition, each can transmit data to, and receive data from,communication network 118.

For example, fraud detection computing device 102 can be a computer, aworkstation, a laptop, a server such as a cloud-based server, or anyother suitable device. Each of multiple customer computing devices 110,112, 114 can be a mobile device such as a cellular phone, a laptop, acomputer, a table, a personal assistant device, a voice assistantdevice, a digital assistant, or any other suitable device.

Additionally, each of fraud detection computing device 102, server 104,workstations 106, and multiple customer computing devices 110, 112, 114can include one or more processors, one or more field-programmable gatearrays (FPGAs), one or more application-specific integrated circuits(ASICs), one or more state machines, digital circuitry, or any othersuitable circuitry.

Although FIG. 1 illustrates three customer computing devices 110, 112,114, fraud detection system 100 can include any number of customercomputing devices 110, 112, 114. Similarly, fraud detection system 100can include any number of workstation(s) 106, fraud detection computingdevices 102, servers 104, and databases 116.

Workstation(s) 106 are operably coupled to communication network 118 viarouter (or switch) 108. Workstation(s) 106 and/or router 108 may belocated at a store 109, for example. Workstation(s) 106 can communicatewith fraud detection computing device 102 over communication network118. The workstation(s) 106 may send data to, and receive data from,fraud detection computing device 102. For example, the workstation(s)106 may transmit data related to a return, such as the return of anitem, to fraud detection computing device 102. In response, frauddetection computing device 102 may transmit an indication of whether thereturn of the item is suspected of being fraudulent. Workstation(s) 106may also communicate with server 104. For example, server 104 may be aweb server and host one or more web pages, such as a retailer's website.Workstation(s) 106 may be operable to access and program (e.g.,configure) the webpages hosted by server 104.

Fraud detection computing device 102 is operable to communicate withdatabase 116 over communication network 118. For example, frauddetection computing device 102 can store data to, and read data from,database 116. Database 116 can be a remote storage device, such as acloud-based server, a memory device on another application server, anetworked computer, or any other suitable remote storage. Although shownremote to fraud detection computing device 102, in some examples,database 116 can be a local storage device, such as a hard drive, anon-volatile memory, or a USB stick.

Communication network 118 can be a WiFi® network, a cellular networksuch as a 3GPP® network, a Bluetooth® network, a satellite network, awireless local area network (LAN), a network utilizing radio-frequency(RF) communication protocols, a Near Field Communication (NFC) network,a wireless Metropolitan Area Network (MAN) connecting multiple wirelessLANs, a wide area network (WAN), or any other suitable network.Communication network 118 can provide access to, for example, theInternet.

First customer computing device 110, second customer computing device112, and N^(th) customer computing device 114 may communicate with webserver 104 over communication network 118. For example, web server 104may host one or more webpages of a website. Each of multiple computingdevices 110, 112, 114 may be operable to view, access, and interact withthe webpages hosted by web server 104. In some examples, web server 104hosts a web page for a retailer that allows for the purchase of items.For example, an operator of one of multiple computing devices 110, 112,114 may access the web page hosted by web server 104, add one or moreitems to an online shopping cart of the web page, and perform an onlinecheckout of the shopping cart to purchase the items.

In some examples, the web page may be operated by a retailer and allowfor the initiation of the return of an item. For example, an operator ofone of multiple computing devices 110, 112, 114 may submit informationon the web page to return an item. In these examples, web server 104 maytransmit data that identifies the attempted return to fraud detectioncomputing device 102. In response, fraud detection computing device 102may transmit an indication of whether the attempted return is suspectedof being fraudulent. The customer may complete the return of the item bydropping the item off at a retail location of the retailer. In someexamples, the customer may complete the return of the item by mailingthe item to the retailer.

Fraud detection system 100 may allow for the identification ofactivities that may be fraudulent. For example, fraud detection system100 may identify an attempted in-store return of an item as fraudulent.Fraud detection system 100 may also identify online initiated returns asfraudulent. In some examples, fraud detection system 100 may identifycompleted returns as fraudulent (e.g., the item has been returned to aretailer and the customer has received payment for the returned item).

In some examples, fraud detection system 100 generates a plurality oftime series based on sales data. For example, database 116 may storesales data related to the online, or in-store, sale of items. Frauddetection computing device 102 may generate a time series identifyingvalues of the sales data periodically over a period of time (e.g.,monthly over a period of a year, weekly over a period of a year, etc.).For example, each time series may be a sequence of numbers indexed bytime, such as indicated in the equation below:

$\begin{matrix}{{s = \left( {s_{t_{1}},\ldots\;,s_{t_{n}}} \right)},{{where}\mspace{14mu} t_{1}},{\ldots\mspace{14mu} t_{n}\mspace{14mu}{are}\mspace{14mu}{timestamps}}} & {{eq}.\mspace{14mu}(1)}\end{matrix}$

In some examples, the length of time between two consecutive timestampsare equal, such as identified by the equation below:t _(i+1) −t _(i) =t _(j+1) −t _(j)for all 1≤i<j≤n−1eq.  (2)

As such, to simply the notation s_(i) may be used instead of s_(t) _(i)for all 1≤i≤n, such as:s=(s ₁ , . . . ,s _(n))  eq. (3)

The value of each s_(i) in time series s=(s₁, . . . , s_(n)) may be thesum of m contributors. That is:s _(i)=Σ_(j)=1^(m) x _(j,i)for all 1≤i≤n  eq. (4)

Then for each 1≤j≤m, the sequence x_(j) (x_(j,1) . . . , x_(j,n)) can beregarded as a time series with the same time range as s. A time seriesbundle may include a set of time series X={x₁, . . . , x_(m)}. Forexample, a retailer's daily sales amount may be represented as a timeseries, which each time series represents sales with a particular creditcard number. That is, the daily sales amount associated with each creditcard is an individual contributor to the total sales for that day. Assuch, the daily sales amount for all credit cards, as represented bytime series, may form a time series bundle.

Based on the time series bundle, fraud detection system 100 may detectwhether each time series associated with each credit card is associatedwith abnormal shopping behavior (e.g., possible fraudulent activity).For example, fraud detection computing device 102 may detect whether atime series is associated with sharp increases in shopping amount. Insome examples, each time series represents a total sales amount from anindividual IP address, a shipping address, or any other suitablerepresentation. In some examples, the time series are based on more thanone attribute. For example, each time series may be based on a pair ofvalues, such as time series for each credit card number and productcategory. In this example, fraud detection computing device 102 maymonitor whether each credit card has an abnormal increase/decrease inshopping amount in each product category.

To detect anomalies, fraud detection computing device 102 may generatedata that identifies and characterizes clusters of feature data. Thegeneration of the clusters may include three steps: sampling, featureextraction and standardization, and clustering.

Sampling

For a training data set X={x₁, . . . , x_(m)}, where eachx_(j)=(x_(j,1), . . . , x_(j,n)) is a time series with n timestamps,fraud detection computing device 102 generates a model hyperparameter,d, which may be an integer such that 0≤d≤n. The hyperparameter d mayidentify the number of timestamps to “look back” to determine whether ananomaly exists. The goal of the sampling step is to collect a set ofsegments of length d from the time series uniformly at random (e.g.,with replacement). Given N, the number of training segments to sample(e.g., 1 million), an algorithm, such as the sampling algorithm shownbelow, may be employed to sample a training data set to generate asampled training set D.

1. let D = { }; 2. for k = 1, ..., N: 3. Choose j uniformly at randomfrom {1, ... , m}; 4. Choose i uniformly at random from {1, ... , n −d}; 5. Add the segment (x_(j.i), x_(j,i+1), ... , x_(j,i+d−1)) to D; 6.return D.

Feature Extraction and Standardization

Given the sampled training set D generated during the sampling step,fraud detection computing device 102 generates features for each segmentof D. For example, given a segment z=(z₀, . . . , z_(d)) in D, frauddetection computing device 102 may compute the following features:z_(d)  eq. (5)z _(d) −z _(j)for 0≤j≤d−1  eq. (6)∂^(j) z _(d)for 2≤j≤d, where ∂⁰ z _(d) =z _(d)and ∂^(j) z _(d)=∂^(j−1) z_(d)−∂^(j−1) z _(d−1)  eq. (7)

For example, suppose fraud detection computing device 102 generates asegment z=(2, 5, 0, 7, 3) with d=4. Based on the execution of equations(5) through (7), the following features may be identified:∂⁰z₄=z₄=3,∂⁰z₃=z₃=7,∂⁰z₂=z₂=0,∂⁰z₁=z₁=5,∂⁰z₀=z₀=2;z ₄ −z ₃=3−7=−4,z ₄ −z ₂=3−0=3,z ₄ −z ₁=3−5=−2,z ₄ −z ₀=3−2=1;∂¹ z ₄=∂₀ z ₄−∂⁰ z ₃ =z ₄ −z ₃=−4,∂¹ z ₃=∂⁰ z ₃−∂⁰ z ₂ =z ₃ −z ₂=7,∂¹ z ₂=∂⁰ z ₂−∂⁰ z ₁ =z ₂ −z ₁=−5,∂⁰ z ₁=∂⁰ z ₁−∂⁰ z ₀ =z ₁ −z ₀=3;∂² z ₄=∂¹ z ₄−∂¹ z ₃=−4−7=−11,∂² z ₃=∂¹ z ₃−∂¹ z ₂=7−(−5)=12,∂² z ₂=∂¹ z ₂−∂¹ z ₁=−5−3=−8;∂³ z ₄=∂² z ₄−∂² z ₃=−11−12=−23,∂³ z ₃=∂² z ₃−∂² z ₂=12−(−8)=20;∂⁴ z ₄=∂³ z ₄−∂³ z ₃=−23−20=−43.

Fraud detection computing device 102 may then generate a features vectorthat includes the determined (e.g., derived) features. In other words,fraud detection computing device 102 maps each segment z to a2d-dimensional feature space. For example, in the example from justabove, fraud detection computing device 102 may generate the8-dimensional features vector (z₄, z₄−z₃, z₄−z₂, z₄−z₁, z₄−z₀, ∂²z₄,∂³z₄, ∂⁴z₄)=(3, −4, 3, −2, 1, −11, −23, −43).

Fraud detection computing device 102 may then standardize the featuresby, for example, removing the mean and dividing by the standarddeviation. For example, assume for a segment z_(i) that its features aredefined as (z_(i,1) . . . , z_(i,2d)). Then for all 1≤i≤D and all1≤j≤2d, Fraud detection computing device 102 computes:

$\begin{matrix}{{{\overset{\sim}{z}}_{i,j} = {\left( {z_{i,j} - \mu_{j}} \right)/\sigma_{j}}}{{where}\text{:}}} & {{eq}.\mspace{11mu}(8)} \\{{\mu_{j} = {\frac{1}{D}{\sum_{i = 1}^{D}z_{i,j}}}};{and}} & {{eq}.\mspace{11mu}(9)} \\{\sigma_{j} = {\sqrt{\frac{\sum_{i = 1}^{D}\left( {z_{i,j} - \mu_{j}} \right)^{2}}{D - 1}}.}} & {{eq}.\mspace{11mu}(10)}\end{matrix}$

After this transformation, fraud detection computing device 102 may mapeach sample segment z_(i) into the standardized feature space accordingto:z _(i) →{tilde over (z)} _(i)=({tilde over (z)} _(i,1) , . . . ,{tildeover (z)} _(i,2d))  eq. (11)

Clustering

After feature extraction, fraud detection computing device 102 maycluster the samples using a K-Means algorithm, where the K-Meansalgorithm is known in the art. In order to find the optimal k, whichrepresents the number of clusters to be used in the K-Means algorithm,for use in the K-Means algorithm, fraud detection computing device 102executes a K-Means algorithm over a range of values. For example, anexample range of k may be from 4 to 20. For each k in this range, frauddetection computing device 102 executes the K-Means algorithm r times,where r may be an integer. In some examples, r is a small integer suchas 5.

Fraud detection computing device 102 may then calculate the averageSilhouette value (i.e., a metric for measuring the quality of theclustering, as recognized in the art). Fraud detection computing device102 may then identify (e.g., select) the k whose average Silhouettevalue (e.g., score) is the highest. For example, given a training setZ={{tilde over (z)}₁, . . . {tilde over (z)}_(D)}, an algorithm forselecting k may be summarized, such as the selection algorithm shownbelow as shown.

 1. let k = 4;  2. let high = 0;  3. for i = 4, ... ,20:  4. let score =0;  5. for j = 1, ... ,5:  6. let clusters = K-Means (Z, i);  7. letscore = score + Silhouette (clusters);  8. if score > hi:  9. let k = iand high = score; 10. return k.

Once the k value has been identified, fraud detection computing device102 may use the k value to cluster Z using the K-Means algorithm.

Anomaly Detection

Fraud detection computing device 102 may then detect anomalies based onthe generated clusters. For example, assume fraud detection computingdevice 102 generates a set of clusters C₁, . . . , C_(k). Frauddetection computing device 102 identifies instances that lie outsidemajor clusters as anomalies. In some examples, fraud detection computingdevice 102 generates a threshold parameter θ, such as, for example,0≤θ≤1, which indicates a sensitivity of the alerting system (e.g., apercentage). For example, the larger that parameter θ is, the morealerts will be generated by fraud detection system 100, as describedbelow.

Fraud detection computing device 102 may filter out clusters whose sizeis less than a threshold amount, such as θN, where N is the number oftraining examples. For example, assume that for the set of clusters C₁,. . . , C_(k), fraud detection computing 102 determines that a number ofthe set of clusters do not include at least θN training samples, whereclusters that do include at least as θN training samples are identifiedas C₁, . . . , C_(r). For each cluster C_(i), we regard it as ahyperball in a 2d-dimensional space, which has center coordinatesc_(i)=(c_(i,1), . . . , c_(i,2d)) and radius r_(i).

Take the example clusters shown in FIG. 7A for example. Assume that theK-Means algorithm in the clustering step generates four clusters, whichare represented by four hyperballs, C₁, C₂, C₃, C₄. From the figure, wenotice that C₂ and C₃ contain few data points, which, for purposes ofthis example, assume are below a threshold, for example, as given by ON.As such, fraud detection computing device 102 may identify C₂ and C₃ asminor clusters, and C₁ and C₄ as major clusters.

To determine whether an anomaly exists, fraud detection computing device102 determines whether a time series, which may correspond to a trainingset time series in a time series bundle, maps to (e.g., is containedwithin) a major cluster. If the time series does not map to a majorcluster, the time series is associated with an anomaly, such as afraudulent transaction. Fraud detection computing device 102 may thengenerate an anomaly alert identifying the anomaly.

Fraud detection computing device 102 may also generate an indication ofhow likely a given time series is an anomaly, i.e., risk level. Forexample, fraud detection computing device 102 may compute the shortestdistance to any one of the major clusters to determine how likely agiven time series is an anomaly. For example, FIG. 7B illustrates thetwo major clusters, C₁ and C₄, with radius r₁ and r₄, respectively.Suppose fraud detection computing device 102 obtains two new time seriesp and q, as illustrated in the figure. Since p lies inside C₄, frauddetection computing device 102 will identify it as normal. In contrast,the data point q lies outside both major clusters, and thus frauddetection computing device 102 will identify it as an anomaly.

Suppose the distances from q to the center of C₁ and C₄ are d₁ and d₄,respectively. Fraud detection computing device 102 may compute the risklevel of q according to the equation below:min(d ₁ −r ₁ ,d ₄ −r ₄)=d ₁ −r ₁  eq. (12)

In other words, the risk level is based on the shortest distance to amajor cluster. The risk level of a time series may indicate how unlikelyit is to observe the event. In some examples, the higher the risk levelis, the more abnormal the event is considered to be. Fraud detectioncomputing device 102 may sort the anomaly alerts by the computed risklevel.

For example, assume time series x_(i)=(x_(i,1), . . . , x_(i,t)) is in asame time series bundle as (e.g., corresponds with) a training data setfraud detection computing device 102 was trained with. At a time t,fraud detection computing device 102 may detect whether or not x_(i) isan anomaly using the alerting algorithm shown below.

 1. let z = (x_(i,t−d), ... , x_(i,t));  2. Transform z into thestandardized feature space and get {tilde over (z)};  3. let risk = ∞; 4. for i = 1, ... , r:  5. let C_(i) be the major cluster with centercoordinates c_(i) and radius r_(i);  6. let r = ∥{tilde over (z)} −c_(i)∥₂;  7. if r ≤ r_(i):  8. return 0;  9. let risk = min(r − r_(i),risk); 10. return risk.

For example, if x_(i) corresponds to a major cluster, the algorithmreturns 0 indicating x_(i) is not an anomaly. Otherwise, the algorithmmay return a risk value, indicating that the time series is an anomalyassociated with the returned risk value.

FIG. 2 illustrates the fraud detection computing device 102 of FIG. 1.Fraud detection computing device 102 can include one or more processors201, working memory 202, one or more input/output devices 203,instruction memory 207, a transceiver 204, one or more communicationports 207, and a display 206, all operatively coupled to one or moredata buses 208. Data buses 208 allow for communication among the variousdevices. Data buses 208 can include wired, or wireless, communicationchannels.

Processors 201 can include one or more distinct processors, each havingone or more cores. Each of the distinct processors can have the same ordifferent structure. Processors 201 can include one or more centralprocessing units (CPUs), one or more graphics processing units (GPUs),application specific integrated circuits (ASICs), digital signalprocessors (DSPs), and the like.

Processors 201 can be configured to perform a certain function oroperation by executing code, stored on instruction memory 207, embodyingthe function or operation. For example, processors 201 can be configuredto perform one or more of any function, method, or operation disclosedherein.

Instruction memory 207 can store instructions that can be accessed(e.g., read) and executed by processors 201. For example, instructionmemory 207 can be a non-transitory, computer-readable storage mediumsuch as a read-only memory (ROM), an electrically erasable programmableread-only memory (EEPROM), flash memory, a removable disk, CD-ROM, anynon-volatile memory, or any other suitable memory.

Processors 201 can store data to, and read data from, working memory202. For example, processors 201 can store a working set of instructionsto working memory 202, such as instructions loaded from instructionmemory 207. Processors 201 can also use working memory 202 to storedynamic data created during the operation of fraud detection computingdevice 102. Working memory 202 can be a random access memory (RAM) suchas a static random access memory (SRAM) or dynamic random access memory(DRAM), or any other suitable memory.

Input-output devices 203 can include any suitable device that allows fordata input or output. For example, input-output devices 203 can includeone or more of a keyboard, a touchpad, a mouse, a stylus, a touchscreen,a physical button, a speaker, a microphone, or any other suitable inputor output device.

Communication port(s) 207 can include, for example, a serial port suchas a universal asynchronous receiver/transmitter (UART) connection, aUniversal Serial Bus (USB) connection, or any other suitablecommunication port or connection. In some examples, communicationport(s) 207 allows for the programming of executable instructions ininstruction memory 207. In some examples, communication port(s) 207allow for the transfer (e.g., uploading or downloading) of data, such asimpression data and/or engagement data.

Display 206 can display user interface 205. User interfaces 205 canenable user interaction with fraud detection computing device 102. Forexample, user interface 205 can be a user interface for an applicationof a retailer that allows a customer to initiate the return of an itemto the retailer. In some examples, a user can interact with userinterface 205 by engaging input-output devices 203. In some examples,display 206 can be a touchscreen, where user interface 205 is displayedon the touchscreen.

Transceiver 204 allows for communication with a network, such as thecommunication network 118 of FIG. 1. For example, if communicationnetwork 118 of FIG. 1 is a cellular network, transceiver 204 isconfigured to allow communications with the cellular network. In someexamples, transceiver 204 is selected based on the type of communicationnetwork 118 fraud detection computing device 102 will be operating in.Processor(s) 201 is operable to receive data from, or send data to, anetwork, such as communication network 118 of FIG. 1, via transceiver204.

FIG. 3 is a block diagram illustrating examples of various portions ofthe fraud detection system of FIG. 1. In this example, fraud detectioncomputing device 102 receives from a store 109 (e.g., from a computingdevice, such as workstation 106, at a store location) in-store salesdata 324 identifying data associated with the in-store purchase of oneor more items. In-store sales data 324 may include, for example, one ormore of the following: an identification of one or more items beingpurchased; an indication of whether a receipt has been presented; anidentification of the customer (e.g., customer ID, driver's licensenumber, a household ID, a telephone number, etc.); a sales amount (e.g.,price) of each item being returned; the method of payment used topurchase the items (e.g., credit card, cash, check); an indication ofwhether the items are currently in stock; an indication of a time periodof when the items were in stock; a product category for each item; atimestamp of when the purchase is being made; or any other data relatedto the items or purchase of the items.

Fraud detection computing device 102 may receive and parse in-storesales data 324, and may store the parsed data in database 116. Forexample, fraud detection computing device 102 may aggregate in-storesales data 324 in database 116 as aggregated in-store sales data 322,which may include in-store sales data received at various times for aplurality of customers. In this example, aggregated in-store sales data322 may include one or more of: household ID 344; timestamp 346; homeaddress 348; telephone number 350; payment data 352 (e.g., method ofpayment used to purchase the items); sales amount 354; number of items456; and product category for each item 358.

Similarly, fraud detection computing device 102 may receive from acustomer computing device 112 online sales data 326 identifying dataassociated with the online purchase of one or more items. Online salesdata 326 may include, for example, one or more of the following: anidentification of one or more items being purchased; an identificationof the customer (e.g., customer ID, driver's license number, a user ID,a telephone number, etc.); a sales amount (e.g., price) of each itembeing returned; the method of payment used to purchase the items (e.g.,credit card, cash, check); an indication of whether the items arecurrently in stock; an indication of a time period of when the itemswere in stock; a product category for each item; a timestamp of when thepurchase is being made; an IP address associated with the purchasingdevice (e.g., customer computing device 112), or any other data relatedto the items or purchase of the items.

Fraud detection computing device 102 may receive and parse online salesdata 326, and may store the parsed data in database 116. For example,fraud detection computing device 102 may aggregate online sales data 326in database 116 as aggregated online sales data 302, which may includeonline sales data received at various times for a plurality ofcustomers. In this example, aggregated online sales data 302 may includeone or more of: user ID 362; timestamp 364; IP address 366; payment data368 (e.g., method of payment used to purchase the items); sales amount370; number of items 372; and product category for each item 374.

Based on one or more of aggregated in-store sales data 322 and/oraggregated online sales data 302, fraud detection computing device 102may generate one or more time series, which may form all or part of atime series bundle. Based on the generated time series, fraud detectioncomputing device 102 may generate data that identifies and characterizesclusters of feature data as described above with respect to FIG. 1. Forexample, fraud detection computing device 102 may perform the steps ofsampling, feature extraction and standardization, and clustering basedon the generated time series. Fraud detection computing device 102 maythen store the generated clusters, and an algorithm that uses thegenerated clusters to determine anomalies, in database 116 as alertingalgorithm data 316. For example, alerting algorithm data 316 mayidentify and characterize the clusters generated based on one or moretime series, which may be generated based on one or more of aggregatedin-store sales data 322 and/or aggregated online sales data 302.Alerting algorithm data 316 may also identify and characterize thealerting algorithm described above, for example.

Based on alerting algorithm data 316, fraud detection computing device102 may identify whether a time series is associated with an anomaly,such as a fraudulent transaction. For example, fraud detection computingdevice 102 may receive in-store sales data 324 for a particular customer(e.g., as identified by household ID, credit card number, etc.) over aperiod of time, and may aggregate the in-stores sales data 324 for thatcustomer in database 116. Fraud detection computing device 102 maygenerate a time series for the particular customer based on theaggregated data for that customer, and may obtain and execute thealerting algorithm identified by alerting algorithm data 316 to thegenerated time series. Based on the execution of the alerting algorithm,fraud detection computing device 102 may generate anomaly identificationdata that identifies whether the time series is associated with ananomaly. In some examples, if fraud detection computing device 102determines that the time series is associated with an anomaly, theidentification data may also identify a risk level associated with thattime series. Fraud detection computing device 102 may transmit anomalyID data 328 that includes the anomaly identification to, for example,store 109.

Similarly, fraud detection computing device 102 may receive online salesdata 326 for a particular customer (e.g., as identified by user ID, IPaddress, etc.) over a period of time, and may aggregate the online salesdata 326 for that customer in database 116. Fraud detection computingdevice 102 may generate a time series for the particular customer basedon the aggregated data for that customer, and may obtain and execute thealerting algorithm identified by alerting algorithm data 316 to thegenerated time series. Based on the execution of the alerting algorithm,fraud detection computing device 102 may generate anomaly identificationdata that identifies whether the time series is associated with ananomaly. In some examples, if fraud detection computing device 102determines that the time series is associated with an anomaly, theidentification data may also identify a risk level associated with thattime series. Fraud detection computing device 102 may transmit anomalyID data 330 that includes the anomaly identification to, for example,customer computing device 112.

In some examples, fraud detection computing device 102 may receive oneor more of in-store sales data 324 and/or online sales data 326, anddetermine, in real-time, whether the in-store sales data 324 and/oronline sales data 326 is associated with an anomaly. For example, frauddetection computing device 102 may aggregate currently received in-storesales data 324 with previously received in-store sales data for the samecustomer, generate one or more time series based on the aggregated salesdata for the customer, and determine whether an anomaly exists based onexecution of the alerting algorithm identified by alerting algorithmdata 316. Similarly, fraud detection computing device 102 may aggregatecurrently received online sales data 326 with previously received onlinesales data for the same customer, generate one or more time series basedon the aggregated sales data for the customer, and determine whether ananomaly exists based on execution of the alerting algorithm identifiedby alerting algorithm data 316.

FIG. 4 is a block diagram illustrating examples of various portions ofthe fraud detection computing device 102 of FIG. 1. As indicated in thefigure, fraud detection computing device 102 includes time seriesdetermination engine 402, time series sampling engine 404, featureextraction engine 406, and cluster determination engine 408. In someexamples, one or more of fraud detection computing device 102 includestime series determination engine 402, time series sampling engine 404,feature extraction engine 406, and cluster determination engine 408 maybe implemented in hardware. In some examples, one or more of frauddetection computing device 102 includes time series determination engine402, time series sampling engine 404, feature extraction engine 406, andcluster determination engine 408 may be implemented as an executableprogram maintained in a tangible, non-transitory memory, such asinstruction memory 207 of FIG. 2, that may be executed by one orprocessors, such as processor 201 of FIG. 2.

Time series determination engine 402 may be operable to obtain trainingdata 420, which may include aggregated online sales data 302 and/oraggregated in-store sales data 322, and determine time series bundledata 412 identifying one or more time series of a time series bundle.For example, each time series may identify purchases made with aparticular credit card over a time period, where all of the time seriestogether identify all purchases made over that time period.

Time series sampling engine 404 may obtain time series bundle data 412,and sample time series bundle data 412 to determine a subset. Forexample, time series sampling engine 404 may execute the samplingalgorithm described above to determine a subset of time series bundledata 412, namely, sampled time series data 416. In some examples, thehyperparameter d may be provided by a user of fraud detection computingsystem 102, such as via user interface 205 using I/O device 203.

Feature extraction engine 406 may be a classifier, such as one based ona supervised learning algorithm such as Logic Regression, Support VectorMachines, Random Forest, Gradient Boosting Machines, or any othersuitable learning algorithm (e.g., machine learning algorithm) andfeature engineering techniques. Feature extraction engine 406 may obtainsampled time series data 416 and generate features for each segmentidentified in sampled time series data 416. For example, featureextraction engine 406 may generate the features based on the executionof equations 5, 6, and 7. Feature extraction engine 406 may furtherstandardize the features, such as by removing the mean and dividing bythe standard deviation of the features. For example, feature extractionengine 406 may standardize the features based on the execution ofequations 8, 9, and 10, to generate sampled segments. Feature extractionengine 406 may then map each sample segment into the standardizedfeature space according to equation 11. Feature extraction engine 406may generate time series feature data 418, which identifies andcharacterizes the sampled segments.

Cluster determination engine 408 may obtain time series feature data418, and generate clusters, such as major clusters. For example, clusterdetermination engine 408 may determine the clusters based on theexecution of one or more K-Means algorithms to determine an optimalvalue k for use in the K-Means algorithm, such as the selectionalgorithm described above, and based on the optimal value k, execute theK-Means algorithm using the determined optimal value k to cluster thesampled segments.

Based on the determined clusters, cluster determination engine 408 maydetermine which of the clusters are major clusters. Clusterdetermination engine 408 may identify the major clusters based ondetermining which clusters have a size larger than or equal to athreshold, such as θN, where N is the number of training samples. Themajor clusters will have at least the threshold number of trainingsamples.

Based on the determined major clusters, cluster determination engine maygenerate an alerting algorithm, such as the algorithm identified above,to identify time series that may be associated with an anomaly. Clusterdetermination engine 408 may store alerting algorithm data 316,identifying and characterizing the alerting algorithm, in database 116.

FIG. 5 is a flowchart of an example method 500 that can be carried outby the fraud detection system 100 of FIG. 1. Beginning at step 502, acomputing device, such as fraud detection computing device 102, receivessales data, such as in-store sales data 324, identifying andcharacterizing the sale of an item. The in-store sales data may bereceived, for example, from store 109. At step 504, the computing deviceobtains alerting algorithm data, such as alerting algorithm data 316from database 116, identifying and characterizing an alerting algorithmthat determines an anomaly with a time series. Proceeding to step 506,the sales data is parsed to determine feature data that is relevant tothe alerting algorithm. At step 508, a time series is generated based onthe parsed feature data that is relevant to the alerting algorithm.

At step 510, the alerting algorithm is executed based on the generatedtime series. Based on the execution of the alerting algorithm, at step512 a determination is made as to whether the time series is associatedwith an anomaly. If the time series is associated with an anomaly, themethod proceeds to step 514, where fraud detection computing device 102may generate data indicating that the time series is an anomaly and anassociated risk level. The risk level may be computed, for example, bythe execution of the alerting algorithm defined above. The method thenproceeds to step 518. Otherwise, if the time series is not associatedwith an anomaly, the method proceeds to step 516 where fraud computingdevice 102 generates anomaly data indicating that the time series is notassociated with an anomaly. The method then proceeds to step 518. Atstep 518, the anomaly data is transmitted. For example, the anomaly datamay be transmitted to store 109.

FIG. 6 is a flowchart of another example method 600 that can be carriedout by the fraud detection system 100 of FIG. 1. At step 602, acomputing device, such as fraud detection computing device 102, obtainstraining data identifying and characterizing a plurality of salestransactions. For example, fraud detection computing device 102 mayobtain training data 420 from database 116. At step 604, a plurality oftime series are generated based on the training data. For example, frauddetection computing device 102 may generate a training data set X={x₁, .. . , x_(m)}, where each x_(j)=(x_(j,1), . . . , x_(j,n)) is a timeseries with n timestamps. At step 606, the plurality of time series aresampled to determine a subset of the plurality of time series. Forexample, fraud detection computing device 102 may execute the samplingalgorithm described above to determine the subset of the plurality oftime series.

Proceeding to step 608, features are generated based on the subset ofthe plurality of time series. For example, given a segment z=(z₀, . . ., z_(d)) in the subset of the plurality of time series, fraud detectioncomputing device 102 may determine features based on the execution ofequations 5, 6, and 7. At step 610, the features are standardized andmapped to a standardized feature space. For example, fraud detectioncomputing device may standardize the features based on the execution ofequations 8, 9, 10, and 11. At step 612, the standardized features areclustered. For example, fraud detection computing device 102 maydetermine an optimal K-Means algorithm to execute based on the executionof the selection algorithm described above. Fraud detection computingdevice 102 may then execute the optimal K-Means algorithm to cluster thestandardized features. Proceeding to step 614, the clusters are filteredto determine major clusters. For example, to determine the majorclusters, fraud detection computing device 102 may filter out, from thegenerated clusters, small clusters whose size is less than θN, where Nis the number of training samples. At step 616, an alerting algorithm isgenerated based on the major clusters. For example, fraud detectioncomputing device 102 may generate data identifying and characterizingthe alerting algorithm defined above, and may store the alertingalgorithm data in database 116.

Although the methods described above are with reference to theillustrated flowcharts, it will be appreciated that many other ways ofperforming the acts associated with the methods can be used. Forexample, the order of some operations may be changed, and some of theoperations described may be optional.

In addition, the methods and system described herein can be at leastpartially embodied in the form of computer-implemented processes andapparatus for practicing those processes. The disclosed methods may alsobe at least partially embodied in the form of tangible, non-transitorymachine-readable storage media encoded with computer program code. Forexample, the steps of the methods can be embodied in hardware, inexecutable instructions executed by a processor (e.g., software), or acombination of the two. The media may include, for example, RAMs, ROMs,CD-ROMs, DVD-ROMs, BD-ROMs, hard disk drives, flash memories, or anyother non-transitory machine-readable storage medium. When the computerprogram code is loaded into and executed by a computer, the computerbecomes an apparatus for practicing the method. The methods may also beat least partially embodied in the form of a computer into whichcomputer program code is loaded or executed, such that, the computerbecomes a special purpose computer for practicing the methods. Whenimplemented on a general-purpose processor, the computer program codesegments configure the processor to create specific logic circuits. Themethods may alternatively be at least partially embodied in applicationspecific integrated circuits for performing the methods.

The foregoing is provided for purposes of illustrating, explaining, anddescribing embodiments of these disclosures. Modifications andadaptations to these embodiments will be apparent to those skilled inthe art and may be made without departing from the scope or spirit ofthese disclosures.

What is claimed is:
 1. A system comprising: a memory device; and acomputing device communicatively coupled to the memory device andconfigured to: receive sales data identifying a sale of at least oneitem; generate at least one time series based on the received salesdata; obtain, from the memory device, alerting data identifying analerting algorithm that is based on clusters of feature data; apply thealerting algorithm to the at least one time series to generate riskdata; determine whether the at least one time series is an anomaly basedon the risk data generated by the application of the alerting algorithmcomprising: determining that the at least one time series is not withina major cluster of the clusters of feature data; and determining thatthe at least one time series is an anomaly based on the determinationthat the at least one time series is not within the major cluster of theclusters of feature data; or determining that the at least one timeseries is within a major cluster of the clusters of feature data; anddetermining that the at least one time series is not an anomaly based ondetermining that the at least one time series is within the majorcluster of the clusters of feature data; based on the determination,generate anomaly data identifying whether the at least one time seriesis an anomaly; and transmit, in response to the received sales data, theanomaly data identifying whether the at least one time series is ananomaly.
 2. The system of claim 1, wherein the computing device isconfigured to determine a risk level for the at least one time seriesbased on a distance from the at least one time series to the majorcluster.
 3. The system of claim 1, wherein the computing device isconfigured to: obtain aggregated sales data from a database; andgenerate the at least one time series based on the received sales dataand the aggregated sales data.
 4. The system of claim 1, wherein thecomputing device is configured to: obtain aggregated sales data from adatabase; sample the aggregated sales data to determine a subset of theaggregated sales data; generate feature data identifying features of thesampled aggregated sales data; and cluster the generated feature data togenerate the clusters of feature data.
 5. The system of claim 4, whereinthe computing device is configured to: determine, out of the generatedclusters of feature data, at least one major cluster based on a numberof feature data associated with each generated cluster; and generate thealerting algorithm based on the major clusters.
 6. The system of claim4, wherein the computing device is configured to: execute a K-Meansalgorithm for a first number of clusters to generate a first set ofclusters; execute the K-Means algorithm for a second number of clustersto generate a second set of clusters; determine a first Silhouette valuefor the first set of clusters; determine a second Silhouette value forthe second set of clusters; and generate the alerting algorithm based onthe set of clusters with the higher of the first Silhouette value andthe second Silhouette value.
 7. The system of claim 4, wherein thecomputing device is configured to: randomly sample the aggregated salesdata to determine a plurality of segments, wherein the subset of theaggregated sales data comprises the plurality of segments; and generatethe feature data based on applying an algorithm to each of the pluralityof segments.
 8. The system of claim 7, wherein the computing devices isfurther configured to generate standardized feature data by:determining, for each segment of the feature data, a correspondingaverage feature value and a corresponding standard deviation; andsubtracting, from each segment of the feature data, its correspondingaverage feature value and dividing the result by the correspondingstandard deviation.
 9. The system of claim 1, wherein the computingdevice receives the sales data from a retailer's computing device, andtransmits the anomaly data to the retailer's computing device todetermine whether to allow the sale of the at least one item.
 10. Amethod comprising: receiving sales data identifying a sale of at leastone item; generating at least one time series based on the receivedsales data; obtaining alerting data identifying an alerting algorithmthat is based on clusters of feature data; applying the alertingalgorithm to the at least one time series to generate risk data;determining whether the at least one time series is an anomaly based onthe risk data generated by the application of the alerting algorithmcomprising: determining that the at least one time series is not withina major cluster of the clusters of feature data; and determining thatthe at least one time series is an anomaly based on the determinationthat the at least one time series is not within the major cluster of theclusters of feature data; or determining that the at least one timeseries is within a major cluster of the clusters of feature data; anddetermining that the at least one time series is not an anomaly based ondetermining that the at least one time series is within the majorcluster of the clusters of feature data; based on the determination,generating anomaly data identifying whether the at least one time seriesis an anomaly; and transmitting, in response to the received sales data,the anomaly data identifying whether the at least one time series is ananomaly.
 11. The method of claim 10 further comprising determining arisk level for the at least one time series based on a distance from theat least one time series to the major cluster.
 12. The method of claim10 further comprising: obtaining aggregated sales data from a database;and generating the at least one time series based on the received salesdata and the aggregated sales data.
 13. The method of claim 10 furthercomprising: obtaining aggregated sales data from a database; samplingthe aggregated sales data to determine a subset of the aggregated salesdata; generating feature data identifying features of the sampledaggregated sales data; and clustering the generated feature data togenerate the clusters of feature data.
 14. The method of claim 13further comprising: determining, out of the generated clusters offeature data, at least one major cluster based on a number of featuredata associated with each generated cluster; and generating the alertingalgorithm based on the major clusters.
 15. The method of claim 13further comprising: executing a K-Means algorithm for a first number ofclusters to generate a first set of clusters; executing the K-Meansalgorithm for a second number of clusters to generate a second set ofclusters; determining a first Silhouette value for the first set ofclusters; determining a second Silhouette value for the second set ofclusters; and generating the alerting algorithm based on the set ofclusters with the higher of the first Silhouette value and the secondSilhouette value.
 16. The method of claim 10 further comprisingreceiving the sales data from a retailer's computing device, andtransmitting the anomaly data to the retailer's computing device todetermine whether to allow the sale of the at least one item.
 17. Anon-transitory computer readable medium having instructions storedthereon, wherein the instructions, when executed by at least oneprocessor, cause a device to perform operations comprising: receivingsales data identifying a sale of at least one item; generating at leastone time series based on the received sales data; obtaining algorithmdata identifying an alerting algorithm that is based on clusters offeature data; applying the alerting algorithm to the at least one timeseries to generate risk data; determining whether the at least one timeseries is an anomaly based on the risk data generated by the applicationof the alerting algorithm comprising: determining that the at least onetime series is not within a major cluster of the clusters of featuredata; and determining that the at least one time series is an anomalybased on the determination that the at least one time series is notwithin the major cluster of the clusters of feature data; or determiningthat the at least one time series is within a major cluster of theclusters of feature data; and determining that the at least one timeseries is not an anomaly based on determining that the at least one timeseries is within the major cluster of the clusters of feature data;based on the determination, generating anomaly data identifying whetherthe at least one time series is an anomaly; and transmitting, inresponse to the received sales data, the anomaly data identifyingwhether the at least one time series is an anomaly.
 18. Thenon-transitory computer readable medium of claim 17, wherein theinstructions, when executed by the at least one processor, cause thedevice to perform additional operations comprising: obtaining aggregatedsales data from a database; sampling the aggregated sales data todetermine a subset of the aggregated sales data; generating feature dataidentifying features of the sampled aggregated sales data; andclustering the generated feature data to generate the clusters offeature data.
 19. The non-transitory computer readable medium of claim17, wherein the instructions, when executed by the at least oneprocessor, cause the device to perform additional operations comprisingreceiving the sales data from a retailer's computing device, andtransmitting the anomaly data to the retailer's computing device todetermine whether to allow the sale of the at least one item.